Vulnerability Description
An issue was discovered in FRRouting FRR (aka Free Range Routing) through 7.3.1. When using the split-config feature, the init script creates an empty config file with world-readable default permissions, leading to a possible information leak via tools/frr.in and tools/frrcommon.sh.in. NOTE: some parties consider this user error, not a vulnerability, because the permissions are under the control of the user before any sensitive information is present in the file.
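The creation pattern described above, shown beside a hardened one together with an audit and fix for files that already exist. This is an added example, not FRR's init script or the upstream patch. The function names, the `*.conf` pattern and the 0640 target mode are assumptions; pass your own configuration directory as the argument.

```shell
#!/bin/sh
# Added example: all names below are illustrative, not taken from FRR.

# Weak pattern: an empty file created under a permissive umask (022 is a
# common default) gets mode 0644, so any local user can read whatever
# is written into it later.
create_weak() {
    ( umask 022; : > "$1" )
}

# Hardened pattern: create the file with no group/other access, then open
# it up only as far as needed (0640 is an assumed target mode).
create_hardened() {
    ( umask 077; : > "$1" ) && chmod 0640 "$1"
}

# Print every regular *.conf file under directory $1 whose mode grants
# read (0004) or write (0002) access to "other".
audit_world_access() {
    find "$1" -type f -name '*.conf' \
        \( -perm -0004 -o -perm -0002 \) -print
}

# Remove all "other" access from every file the audit reports.
fix_world_access() {
    audit_world_access "$1" | while IFS= read -r f; do
        chmod o-rwx "$f"
    done
}

# Stand-alone use: ./audit.sh <config-directory> lists offending files.
if [ "$#" -gt 0 ]; then
    audit_world_access "$1"
fi
```

Run the audit before the daemons write routing passwords or keys into their per-daemon files, and again after package upgrades that may recreate them.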
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Free Range Routing | <= 7.3.1 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1830805 (Exploit, Issue Tracking, Vendor Advisory)
- https://github.com/FRRouting/frr/pull/6383 (Patch, Third Party Advisory)
FAQ
What is CVE-2020-12831?
CVE-2020-12831 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered in FRRouting FRR (aka Free Range Routing) through 7.3.1. When using the split-config feature, the init script creates an empty config file with world-readable default permissio...
How severe is CVE-2020-12831?
CVE-2020-12831 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-12831?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Free Range Routing.